Conflicting frontend and backend logout

Hi all,

I am getting logged out of my backend on visiting logout.php of the frontend.

We have a login system on the website frontend for customers to log in.

Then we have a separate login system for the backend control panel.

I registered myself as a customer on the frontend and tried to log in.

I was able to log in.

**Then on clicking the logout link on the frontend I got logged out of my backend** control panel, which was open in another tab.

I am not able to understand why this is happening.

This is my logout.php for the frontend:

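```php
// Clear every variable stored in the session
$_SESSION = array();
// Expire the session cookie in the browser
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time() - 42000, '/');
}
// Remove any remaining session data and destroy the session on the server
session_unset();
session_destroy();
```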

vineet

You are already killing the session on both ends. If you just want to kill one session variable, you should just unset that variable instead of killing the entire session. I assume that this isn’t on different domains so they will share the same session.

You mean if I have 5 session variables then I should unset the 5 variables one by one?

vineet

Is it possible to exclude this one backend admin session from the session array?

vineet

No, if they all share the same domain and not subdomain, then they will also share the same sessions.

Hi spaceshiptrooper,

How do you keep a record or track of session variables?

There can be many session variables on different pages?

In the logout page, do you only unset the login session variable and keep the other session variables as they are?

Or do you unset all session variables in the logout page?

vineet

Well, in your situation, it’s different. It sounds like you have a regular login page for normal users and an admin login page that can be accessed by anyone, but requires an admin account. If this is so, you want to keep the session variable different from another one since you don’t want to initially log out the normal user if you happen to log off the admin account. So, the only way I can see coming out of this is manually unsetting the variable based on the page.

Say normal user logs into their account via login.php, they go to whatever URI you redirect them to. And the same user logs into their account via admin/login.php and successfully logs into that page since they are an admin. What you don’t want to do is log off on admin/logout.php and then happen to log off the main website too.

Though I recommend just integrating this into it because it would be a much more secure system if the admin gets logged off via admin/index.php, then it would also log them off on the main website too. This is to avoid any security breach so no non-admin users can go around screwing up people’s accounts.
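The approach suggested in the replies above, as an added example that is not code from the thread: the frontend logout unsets only the customer's login variable, while the admin logout ends the whole shared session. The session keys `customer` and `admin` and all function names are assumptions for illustration.

```php
<?php
// Added example. Assumes both login systems run on the same domain and so
// share one PHP session, with login state stored under two separate keys:
//   $_SESSION['customer'] (frontend) and $_SESSION['admin'] (control panel).
declare(strict_types=1);

function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Frontend logout.php: remove only the customer login state.
// $_SESSION['admin'] is untouched, so the control panel tab stays logged in.
function logout_customer(): void
{
    start_session();
    unset($_SESSION['customer']);
    // Issue a new session ID on the login-state change and delete the old one.
    session_regenerate_id(true);
}

// admin/logout.php: end the whole session, which also logs the same browser
// out of the frontend, as the last reply recommends.
function logout_admin(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same parameters it was set with,
        // otherwise the browser may keep it.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Page guards: each area checks only its own key.
function is_customer(): bool
{
    start_session();
    return isset($_SESSION['customer']['id']);
}

function is_admin(): bool
{
    start_session();
    return isset($_SESSION['admin']['id']);
}
```

The frontend logout.php then calls `logout_customer()` and admin/logout.php calls `logout_admin()`.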
